Forum Discussion
Juerg_Wiesmann
Dec 16, 2008Nimbostratus
How I created the iRule based on _sys_auth_radius
What it will do is adding a Cookie "Welcome" to the response when Authentication on BIG-IP was successful.
If Cookie exists no further Authentication takes place on the BIG-IP and the Request is forwaded to the destination after (Authentication Header is removed)
when HTTP_REQUEST {
set doit "bad"
if { not [ HTTP::cookie exists "Welcome"] } {
set doit "bad"
if {not [info exists tmm_auth_http_sids(radius)]} {
set tmm_auth_sid [AUTH::start pam default_radius]
set tmm_auth_http_sids(radius) $tmm_auth_sid
if {[info exists tmm_auth_subscription]} {
AUTH::subscribe $tmm_auth_sid
}
} else {
set tmm_auth_sid $tmm_auth_http_sids(radius)
}
AUTH::username_credential $tmm_auth_sid [HTTP::username]
AUTH::password_credential $tmm_auth_sid [HTTP::password]
AUTH::authenticate $tmm_auth_sid
if {not [info exists tmm_auth_http_collect_count]} {
HTTP::collect
set tmm_auth_http_successes 0
set tmm_auth_http_collect_count 1
} else {
incr tmm_auth_http_collect_count
}
} else {
HTTP::header remove Authorization
}
}
when AUTH_RESULT {
if {not [info exists tmm_auth_http_sids(radius)] or \
($tmm_auth_http_sids(radius) != [AUTH::last_event_session_id]) or \
(not [info exists tmm_auth_http_collect_count])} {
}
if {[AUTH::status] == 0} {
incr tmm_auth_http_successes
set doit "ok"
}
If multiple auth sessions are pending and
one failure results in termination and this is a failure
or enough successes have now occurred
if {([array size tmm_auth_http_sids] > 1) and \
((not [info exists tmm_auth_http_sufficient_successes] or \
($tmm_auth_http_successes >= $tmm_auth_http_sufficient_successes)))} {
Abort the other auth sessions
foreach {type sid} [array get tmm_auth_http_sids] {
unset tmm_auth_http_sids($type)
if {($type ne "radius") and ($sid != -1)} {
AUTH::abort $sid
incr tmm_auth_http_collect_count -1
}
}
}
If this is the last outstanding auth then either
release or respond to this session
incr tmm_auth_http_collect_count -1
if {$tmm_auth_http_collect_count == 0} {
unset tmm_auth_http_collect_count
if { [AUTH::status] == 0 } {
HTTP::release
} else {
HTTP::respond 401
}
}
}
when HTTP_RESPONSE {
if {not [ HTTP::cookie exists "Welcome"] } {
if { $doit eq "ok"} {
HTTP::cookie insert name "Welcome" value [IP::client_addr]
log local0. "cookie please" }
}}